Opened 15 years ago
Closed 12 years ago
#11695 closed defect (bug) (worksforme)
Comments on private posts can be viewed by anyone via RSS
| Reported by: | palotasb | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | high |
| Severity: | normal | Version: | |
| Component: | Comments | Keywords: | has-patch needs-testing |
| Focuses: | | Cc: | |
Description
If you consider that comments on a private post can contain confidential information, this is a security bug or privacy/information disclosure vulnerability.
To reproduce, create a private post and try to view the post's comment feed after you've logged out. You can see the comments, but you shouldn't.
A temporary solution is to install the plugin I've attached to this ticket, but the real solution is to modify core files.
Attachments (3)
Change History (16)
#1 (15 years ago)
There's also a URL parameter that converts it from a comments feed to a single post feed, so the post is probably accessible as well here.
#2 (15 years ago)
I suggest we change this ticket's reporting, and switch it to: drop private posts support in core, and make it plugin material. In addition to the performance problem that private posts cause, there are just so many tickets related to viewing private posts or a private post's comments by users who shouldn't be able to.
#3 (15 years ago)
Denis, I've learned from previous experiences that hijacking tickets like that isn't a good idea.
You should create a new ticket with your proposal and reference all the other tickets you mentioned, including this one.
#8 (14 years ago)
- Keywords has-patch dev-feedback added
Is this still an active ticket? I've attached a solution that intercepts at the do_action function.
My initial thought was to modify inside query.php, which I was able to do successfully, suppressing all comments from being printed, but the post title was still displayed in the RSS feed header.
I looked at several different places to insert code like this and do_feed seemed like the best solution. Thoughts?
#11 (14 years ago)
We need to pull in the queried object's post type and do cap->read_private_posts, rather than a raw cap check.
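As an added illustration of the approach in comments 8 and 11 (intercept before the feed is emitted and resolve the capability from the queried object's post type), not the patch attached to this ticket; it assumes a plugin context and the standard WordPress hooks and helpers named in the code:

```php
<?php
/*
 * Illustrative only (not the plugin attached to this ticket): refuse a
 * private post's comment feed unless the current user holds the queried
 * post type's read_private_posts capability or authored the post.
 */
add_action( 'template_redirect', function () {
    // Only single-post comment feeds are of interest here.
    if ( ! is_comment_feed() || ! is_singular() ) {
        return;
    }

    $post = get_queried_object();
    if ( ! $post instanceof WP_Post || 'private' !== $post->post_status ) {
        return; // not a private post, nothing to protect
    }

    // Take the capability from the post type rather than hard-coding
    // 'read_private_posts', so custom post types with their own caps work.
    $type_object = get_post_type_object( $post->post_type );
    $cap         = $type_object ? $type_object->cap->read_private_posts : 'read_private_posts';

    if ( current_user_can( $cap ) || (int) $post->post_author === get_current_user_id() ) {
        return; // allowed to read the private post, so its comments too
    }

    // Respond 404 before do_feed() could emit the feed header with the post title.
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
    exit;
}, 0 );
```

On a current core, comment 13 below notes that $wp_query->posts is already empty for a logged-out visitor, so the early return on a missing WP_Post is the path actually taken; the capability branch matters only where a private post does reach the feed.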
#12 (12 years ago)
Is this bug still occurring?
I just tested it with private and password-protected posts. The private posts' comment feed returned a 404; on password-protected posts the comment content was hidden, with a notification message to enter the password.
#13 (12 years ago)
- Keywords featured removed
- Milestone Future Release deleted
- Resolution set to worksforme
- Status changed from new to closed
I could not reproduce this using the steps provided in the description, neither in 2.8 nor 2.9 (when the ticket was created), nor in current trunk.
When a logged-out user tries to view a private post's comment feed, $wp_query->posts is set to an empty array due to the check in get_posts():
http://core.trac.wordpress.org/browser/tags/3.4.1/wp-includes/query.php#L2674
handle_404() then issues a 404 error:
http://core.trac.wordpress.org/browser/tags/3.4.1/wp-includes/class-wp.php#L463
Feel free to reopen with more information if there's still a problem.
Plugin replaces the content of comments on private posts with the text "Enter your password to view comments".